Sherman's Security Blog
I am Sherman Hand (also known as Policysup). I have created this blog and will use a part of my day to write about what is going on in the world. I hope to discuss things in a down to earth and practical way. I hope to hear back from you on your thoughts. I do not in any way intend to speak for my employer. The content of this blog will be either opinions that are strictly mine, general observations, reposts, or information that is already in the public domain.

Monthly Archives: May 2014

Sorry marijuana fans, the FBI won’t be recruiting cyber-sleuthing stoners any time soon.

FBI Director James Comey says he was being “funny” when he made a comment that the FBI should consider loosening drug policies for applicants to its cyber crime division.

What Comey was really trying to say, he clarified yesterday, is that a generation of potential cyber crime fighters is increasingly made up of dope-smoking hackers, which makes recruitment pretty challenging if you weed out all those recruits (sorry, pun intended).

Comey said at a white collar crime conference this week in New York that a lot of hackers who could potentially work for the FBI are pot smoking kids who “want to smoke weed on the way to the interview.”

After the comment was published in the Wall Street Journal on 20 May, Comey’s remark went viral – could it be an opening for pot legalization? America’s top cop says pot is OK? Really?

Well, US Senator Jeff Sessions put the lid on that idea right away.

Sessions, an Alabama Republican, was not amused by Comey’s remarks, telling Comey the comment would “undermine” efforts to combat drug use among young people.

“I was very disappointed,” Sessions told Comey, adding that the comment appeared to “make light” of marijuana use.

Sessions said it would undermine the efforts of law makers to discourage marijuana use:

Do you understand that that could be interpreted as one more example of leadership in America dismissing the seriousness of marijuana use? And that could undermine our ability to convince young people not to go down a dangerous path?

In his defense, Comey said he was trying to be “funny and serious” at the same time.

“I am determined not to lose my sense of humor,” Comey said in response. “But unfortunately there I was trying to be both funny and serious.”

He is still “dead set” against marijuana use, he said.

I waxed philosophic and funny to say, look, one of our challenges that we face is getting a good workforce at the same time when young people’s attitudes about marijuana and our states’ attitudes about marijuana are leading more and more of them to try it.

I am absolutely dead set against using marijuana. I don’t want young people to use marijuana. It’s against the law. We have a three-year ban on marijuana. I did not say that I’m going to change that ban. I said I have to grapple with the change in my workforce.

US law enforcement’s official position is still “no smoking.”

As it is today, the FBI bans applicants from having used marijuana for the past three years (so smoking weed in the past is not a complete disqualifier).

But, maybe, if the FBI continues to have a hard time recruiting suitable applicants, the topic will come up again.

The US Congress recently authorised the bureau to go out and hire an additional 2000 new staff, many of whom will be tasked with fighting cyber crime.

The FBI has a problem though – many of the best candidates for this type of role have a fondness for illicit herbs, Comey said – something that is currently a barrier to employment according to the bureau’s own drug policy.

The policy clearly states that anyone who has used marijuana in the last three years (and, by golly, you better not have taken any anabolic steroids since 1991) should not apply for any position within the agency.

So now Comey and the FBI are grappling with the question of how to amend the drug policy to allow more ganja-loving hackers into the FBI’s ranks.

Speaking to the White Collar Crime Institute, an annual conference held at Manhattan’s New York City Bar Association, he told delegates:

I have to hire a great workforce to compete with those cyber criminals and some of those kids want to smoke weed on the way to the interview.

When one attendee asked Comey about a friend who had chosen not to apply to the bureau because of the existing rules, and his likely failure of a drugs test, Comey said “he should go ahead and apply”.

The current drug-free setup has already had a good week, following a coordinated series of global raids in which more than 100 people were arrested over the Blackshades Remote Access Trojan.

The Metropolitan Atlanta Rapid Transit Authority is in the midst of increasing security in a big way.

Following the success of the cameras on its 500-plus buses, MARTA is planning to install 1,600 additional cameras in two phases on its 330 train cars and at 38 stations, according to Monty Montgomery, emergency preparedness unit coordinator.

A trial of the train cameras from Apollo Video Technology will begin in June and will run for up to 40 days, allowing MARTA and AVT to tweak the system as needed, Montgomery said. After that, MARTA will proceed with full installation on its trains.

MARTA is also building a new Integrated Operations Center in Dunwoody, just north of the city. For the first time, and with a “huge video wall,” transit police and other relevant law enforcement agencies will be brought together in one area, with the goal of improving communication and response times in emergencies, Montgomery said during the ASIS 2014 Media Tour.

The nation’s ninth largest transit system’s buses already have on-board analog cameras from AVT along with cameras at its stations for a total of 1,200. Approval for installing those cameras was a hard sell, but the ROI has been huge, Montgomery said.

Bus drivers, at first hesitant about the cameras, have come to appreciate them because attacks on drivers have fallen, most recently by 7 percent, Montgomery said.

Crime rates in general on the bus routes have come down, too, he said, and “we’ve seen a precipitous drop in false claims,” such as those where someone said, “This bus ran over my foot.” False claims can be disproved with the camera footage. The actual numbers have not yet been quantified, he said, but that work is under way and the trend is clearly downward.

“MARTA is safer,” he said, noting that even local mainstream media has written about that.

The bus cameras are analog, but the footage is automatically digitized and downloaded when a bus nears a garage.

Drivers also have emergency call buttons, which give police instant access to video for an even greater tactical advantage, Montgomery said.

The current cameras are part of the Atlanta Police Department’s Video Integration System. That system also incorporates municipal cameras and cameras from the Atlanta airport, local college campuses, businesses, apartment and shopping complexes, and neighborhood associations, among others.

On the morning of the Media Tour visit, MARTA was preparing for an upcoming, full-scale emergency drill involving more than 30 law enforcement agencies over two counties. The Atlanta Police Department, FBI, DHS, Georgia Emergency Management, Georgia Department of Transportation and MARTA police, including its K-9 unit, Special Operations Response Team and bomb squad will participate, among other agencies.

MARTA’s K-9 unit consists of 15 dogs that can sniff out 14 different explosives; they train every day. Its mobile command center, the size of a bus, can patch in different radio feeds from various agencies. Its bomb squad includes a robot and a containment vessel.

Last year, MARTA received a “Gold Standard” rating from the TSA, based on the TSA’s Baseline Assessments for Security Enhancement.

Following an odd blog post which appeared overnight and then was quickly taken down advising eBay users to reset their passwords, eBay has now published its official statement informing its users about a cyberattack that compromised a database containing encrypted passwords and other non-financial data. eBay says it currently has no evidence of the compromise resulting in unauthorized activity for eBay users, and no evidence that the cybercriminals were able to access users’ financial info or credit card details, which are stored separately from the password data and are also encrypted.

The company suggests that users still change their passwords as a precaution.

“Information security and customer data protection are of paramount importance to eBay Inc., and eBay regrets any inconvenience or concern that this password reset may cause our customers,” the company said in a statement released this morning. “We know our customers trust us with their information, and we take seriously our commitment to maintaining a safe, secure and trusted global marketplace.”

More worryingly, the company said the attack compromised a “small number of employee log-in credentials,” as well, allowing the attackers unauthorized access to eBay’s corporate network. The company is now working with law enforcement and leading security experts to further investigate, it noted.

The database was not compromised recently, however. Instead, the attack took place between late February and early March. eBay customers’ names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth were stolen. Though the passwords themselves can be reset, this other personal data could aid in identity theft, if that was the criminals’ intention.

eBay, though, says it has not seen unauthorized access from these users’ accounts.

The company will alert users later today via email, site communications and elsewhere about this breach, and will ask users to reset their passwords at that time. If you used your eBay password on other websites as well, it’s suggested you change those, too.

“A Large Number Involved”

We asked eBay for more details on the number of accounts affected by this breach, and the company declined to say.

However, a spokesperson did inform us that “we believe there may be a large number of accounts involved and we are asking all eBay users to change their passwords.”

The company also declined to provide more information about the nature of the attack, potential suspects and how they were first alerted to the breach, saying only that they are working with law enforcement and security experts who are actively investigating.

Just before 5 AM ET today, TechCrunch was tipped that a post about this password breach briefly appeared on eBay’s website before oddly disappearing. A number of other websites, including CNET and Engadget also received this same tip. Apparently, someone at eBay had accidentally published ahead of schedule, then took it down.

The breach, which was discovered on February 26, 2014, was limited to those members who had spoken with the employee in question regarding payment of their premiums.

“This situation did not involve a compromise of Blue KC’s computer systems, payments made online to Blue KC, or payments made to other customer service representatives,” Blue KC director of corporate compliance Norma McKelvy explained in the notification letter [PDF].

The information that may have been stolen includes the affected members’ names, addresses, and credit card or bank account information.

“We want to apologize for this incident and assure you we continue to review this situation to further strengthen our safeguards and measures to prevent any future incidents,” McKelvy wrote. “This situation has been reported to local law enforcement and will be reported to the Department of Health and Human Services.”

All those affected are being offered one year of identity protection services through AllClear PRO.

Time for a reminder about password security. We have talked a lot about how to choose good passwords. But they are worth nothing if they don’t stay secret. This is about a quite simple scheme that tricks many users into revealing their e-mail passwords.

“John Doe found 4 new friends by searching his email contacts. Give it a try”. That’s what pops up in my Facebook now and then. You just have to submit your email and the password to your account. Facebook can then connect to your mail account, parse the contact list and match it against its own user database. Sounds simple and it sure works.

The drawback is of course that you at the same time grant Facebook full access to your mail, no matter what system it is hosted on. Facebook can not only read your contacts but also your mail messages and calendar items. Facebook could even manipulate the content in your account, delete items or send mail on your behalf. I’m not claiming that they misuse account details in this way, but it’s best to not even give them the chance to do so. Facebook’s reputation for privacy isn’t exactly stellar and for me it’s a no-brainer that they can’t be trusted with secret info like one’s mail password. Frankly speaking, I haven’t even bothered to check what kind of privacy promise they make about this feature. Their promise is pretty irrelevant anyway; this is simply a bad idea.

So don’t use this feature if Facebook offers it to you. If you have used it, your mail password is compromised and needs to be changed ASAP. And this is by the way true for any other system that might offer a similar feature. LinkedIn is one example.

To wrap up. Passwords are secret. They should only be entered into the system they belong to, into an app or program that is designed to use that system, or into a password manager program you trust. One I use is LastPass. They should not be kept on sticky notes or in files that aren’t properly protected. They should not be entered into other systems that promise to do something on your behalf (the Facebook feature falls into this category), unless you are 100% sure about the reliability of that system.

Apple has a new patent application published by the USPTO (via AppleInsider) that makes it easier to remember who you’re texting. This could help alleviate the incredibly painful SMS fails where you send a message to the wrong person, occasionally with catastrophic results. The system works using contact pictures employed in the background of text conversations as a big, glaring visual cue telling you exactly who’s receiving your communiqué.

The system would put the contact picture of the person you’re conversing with in the background of your message window, with your actual conversation overlaid on top. For group chats, the system suggests using multiple contact pictures for the backdrop, either arranged Brady Bunch style in a grid, or in a cycling carousel, or with various visual cues like showing some grayed out and one in color to indicate which one sent the last received message.

If there aren’t any images associated with a contact, the system could employ generic male or female avatars to at least give you some kind of cue. Also, the patent goes on to describe how this might be made available to other, third-party apps via API, too.

Text message fails aren’t as easy to fall into as DM fails, really, but they do still happen and they can still have disastrous effects. Apple’s patent seems like it could mess up the clean UI approach they’re going for, but it also includes provisions to make the images shown more subtle, like opacity changes, instead of just garish full color wallpapers. Like most Apple patents, it’s not likely to make its way to shipping product anytime soon, but it’s another example of the company’s targeted small UX changes in core phone experiences.

This latest update proves that Cupertino can move swiftly to fix security problems when it wants, so let’s hope that attitude is something we see more of.

By the way, eagle eyed readers will notice that this update applies to the most recent four versions of OS X, namely 10.6 (Snow Leopard), 10.7 (Lion), 10.8 (Mountain Lion) and 10.9 (Mavericks).

We’ve suggested several times that you should consider Snow Leopard “unofficially unsupported” because it hasn’t been getting security fixes since 10.9 came out.

We stand by that assessment, even though OS 10.6 is covered in this case: although this is a security fix, it’s not really a fix for the operating system components themselves, just for one of the many applications that run on it.

Having said that: if you have already installed iTunes 11.2 and have a Mac with more than one user account, consider this a critical update and grab it right away.

Note. This bug and the associated update apply only to iTunes on OS X. iTunes on Windows is not affected.

Google added biking directions to Google Maps and specialized maps that highlight bike routes a few years ago. If you are weak like me, though, and learned to bike in Holland, where the biggest obstacle is a dike, you don’t just want to know what streets to take, but also what hills you will have to huff your way up on the way to your destination.

Until now, Google was no help there and you needed to go to third-party sites that mashed up elevation data with Google Maps routes. Now, however, Google has quietly added this feature to Google Maps directly.

We asked Google about this and the company confirmed that this is indeed a new, and as of now unannounced, feature. It looks like the elevation profiles are available in all 14 countries where Google offers biking directions. These include Austria, Australia, Belgium, Canada, Switzerland, Germany, Denmark, Finland, Great Britain, Netherlands, Norway, New Zealand, Sweden and the US.

Just look for a route on Google Maps, choose the biking directions and look for the new elevation profile. Besides the graphical representation of those hills you will have to climb, the new card also shows you the total number of feet you will have to climb on your route (and those joyous miles you get to just kick back and try not to die while you barrel down the hill on the other side).

The only time you won’t see the new elevation profiles, it seems, is for routes that are essentially flat.

For now, these profiles sadly don’t appear in any of Google’s mobile apps for Google Maps, but chances are the company will add it to those apps in the long run, too.

Target Corp. announced that CEO Gregg Steinhafel has stepped down from his position, effective immediately, less than five months after it was discovered the retail giant had been struck by a massive data breach.

Industry observers said Steinhafel’s de facto ouster may be a turning point for enterprise information security’s importance in the C-suite, proving that CEOs must take infosec seriously or face the consequences.

The Target data breach saga — resulting in the loss of approximately 40 million payment cards and the personal information of up to 70 million customers — has embroiled the retail giant since its discovery. Facing dozens of lawsuits, several congressional hearings, and a stock that as of press time had fallen 5.6% this year, Steinhafel seemed unable to move the company past the public relations hit it suffered as a result of the incident.

In a statement this morning, Target’s board of directors thanked Steinhafel, a 35-year veteran of the company and CEO since 2008, for his service, and said that current CFO John Mulligan would be taking over as CEO in the interim. Target director Roxanne Austin will assume Steinhafel’s board of directors’ responsibilities as interim non-executive chair.

“Most recently, Gregg led the response to Target’s 2013 data breach. He held himself personally accountable and pledged that Target would emerge a better company,” said Target’s board in a statement. “We are grateful to him for his tireless leadership and will always consider him a member of the Target family.”

Steinhafel’s resignation follows on the heels of former Target CIO Beth Jacob’s exit in March. Jacob was reportedly the executive meant to be overseeing the company’s IT security program, as the company had never created the position of CISO. Bob DeRodes, Jacob’s replacement and a long-time tech executive, has been tasked with handling Target’s ongoing security efforts, including the hastened switch to a chip-and-PIN payment infrastructure.

CEO ouster following breach ‘unprecedented’

Mike Rothman, analyst and president for Phoenix-based security consultancy Securosis, said he was “genuinely shocked” by Target’s decision to remove Steinhafel, noting that the move to axe a senior executive on the basis of a security incident is practically unprecedented.

“I’m pretty shocked that something like this would take out not just the CIO, but the CEO, and a 35-year guy at Target at that,” Rothman said. “I think that retailers are obviously public-facing and are at more risk as a result, but again, you’ve had so many public-facing companies that went through things like this and the leadership survived. That’s something I have not seen.”

John Kindervag, vice president and principal analyst at Forrester Research, agreed with Rothman that the resignation of Target’s CEO is a unique event for the security industry, but said that such action is long overdue for companies that experience major breaches, particularly when, in his view, executives remain uninterested in implementing proper security procedures.

Target had reportedly deployed top-of-the-line security equipment from established vendors, including FireEye Inc. and Symantec Corp., and had also established around-the-clock security operations centers to manage its security technology, but according to Kindervag, the company’s failure to follow the basic tenets of the Payment Card Industry Data Security Standard showed an inability by its now-outgoing execs to take security processes seriously.

Even with the deck stacked against Target’s senior leadership, Kindervag said companies would normally look to make a CISO the scapegoat for a major incident. Target had failed to establish a dedicated security figurehead though — another strike against Steinhafel during his tenure as CEO — so the company first sacrificed the CIO and, with the effects of the breach still lingering, now the CEO.

“I’ve often said the CISO was designed to be fired,” Kindervag said. “Finally, some company understood that the buck ultimately has to stop at the highest level of executives, and if executives don’t care about security, there [has] to be consequences.”

The fallout of the Target data breach extends far beyond just the company’s ousted executives, according to Chris Eng, vice president of security research at Veracode Inc. C-suiters at organizations across all industries must now be aware that a costly, protracted security incident may well just land them in the hot seat — and those organizations still lacking a CISO will likely look more intently at creating and filling the position.

Rothman said most CEOs at Fortune 500-level organizations were already in contact with their CISOs just after the Target breach was reported, but with executives finally feeling the consequences of a security letdown, they’ll now be seeking assurances that they won’t be the next in line.

“When a 35-year guy gets his head cut off because of a security issue,” Rothman said, “all of these guys will feel vulnerable.”

Target’s next move

Eng said Target made a positive move in April when it appointed a security-savvy CIO in tech veteran Bob DeRodes, but that the Fortune 500 retailer has much work to do if it wants to re-establish trust with customers and rebuild its beleaguered security program.

First and foremost, according to Eng, Target must identify a CISO to head up the security program operationally and from a public-facing standpoint, and that would preferably report directly to the CEO. Just as importantly, the company must assess its security program, he said, and should begin by establishing a baseline of its overall security posture.

That means taking stock of its information assets, Eng noted, by determining what software development is going on within the organization, what the company is purchasing, what risks are being assumed with that purchased software, and so on. For a large-scale organization like Target, Eng said he expects that process to take at least one financial quarter, if not longer.

“It’s hard to make any specific roadmap for a security program until you figure out how good or bad you are in different areas,” Eng said. “With most large organizations, there’s no one central place where you can find that; you’ve got to go around and start piecing everything together.

“The initial compromise came through an HVAC vendor, so Target will have to think about the security of its entire supply chain,” Eng added, “but they can’t do that until they understand all of the pieces of the puzzle.”

Such a lengthy process will just worsen a breach that already costs a staggering amount, according to Kindervag, who had previously noted that the fallout from the incident could cost Target as much as $100 million. Now, he said, the price tag for the breach could rise to $1 billion or more.

Kindervag said other companies should keep that cost in mind when deciding whether to hire a CISO or follow good security practices, because despite many executives seeing security as a cost center, it’s generally much cheaper to do things right initially rather than pay the price later.

“The sky is almost the limit,” said Kindervag, in attempting to quantify how much Target will have to spend to repair the damage caused by the breach. “They’re going to spend orders of magnitude more than they would have spent by doing the right things up front.”